When a Password Replication Policy is enabled and a user or computer account is in the allowed RODC password replication group, a password is replicated and cached on Read-Only Domain Controller when a branch user login for the first time. The RODC authenticates the branch users and computers for subsequent logins without forwarding requests to the main (writeable) DC. However, with a built-in feature, you can prepopulate and cache users and accounts on the RODC before they attempt to log in.
Before you prepopulate passwords, it is mandatory that those user and computer accounts are in the list of allowed RODC password replication group. In this guide, we will look into the feature of prepopulating passwords on Read-Only domain controller Windows Server 2016 by using server manager and PowerShell.
Prepopulating Passwords On Read-Only Domain Controller Windows Server 2016 Using Server Manager
Step 1. Open server manager dashboard. Click Tools -> Active Directory Users and Computers.
Step 2. Click Domain Controllers. On the right pane, right-click Read-Only Domain Controller computer account and then click Properties.
Step 3. Go to Password Replication Policy tab and double-click Allowed RODC Password Replication Group.
Step 4. Click Add.
Step 5. Enter the user or computer account you wish to add to Allowed RODC Password Replication Group. Click OK.
Step 6. Click Apply and then OK.
Step 7. Click Advanced.
Step 8. Click Prepopulate Passwords.
Step 9. Enter the user or computer account you wish to populate their password and click OK.
Step 10. Click Yes in the confirmation window.
Step 11. Wait for the wizard to finish.
Step 12. Click OK.
Configuring Credential Caching On Read-Only Domain Controller Windows Server 2016 Using PowerShell
Step 1. Open PowerShell with elevated privileges.
Step 2. Execute the following command to add user and computer accounts in Allowed RODC Password Replication Group.
Add-ADGroupMember "Allowed RODC Password Replication Group" meazhar
Step 3. Execute the following script to pre-populate passwords of all users in Students OU.
$users = Get-ADUser -SearchBase "OU=Students,dc=yourdomain,dc=com" -Filter *
foreach ($user in $users) {
$id = get-adobject -identity $user
Sync-ADObject -object $id.DistinguishedName -Source SERVER2016 -Destination SRV-01RODC -PasswordOnly
}
